From: Robert Slaski (robin@atm.com.pl)
Date: Sun Dec 15 2002 - 08:10:03 GMT-3
Jake Jake wrote:
> But if you use port-security with dot1x and the tacacs server specifies which
> ip address is authorized, will that work?
>
I don't think so. An 802.1X-capable switch (e.g. 3550) acts only as a proxy
device that forwards authentication messages between the client (PC
workstation) and the authentication server (RADIUS/ACS). When the authentication
server grants the user permission to access the network, the switch then
unlocks the port the user's workstation is connected to. The concept is
simple; the implementation is quite a bit more complex.
The whole concept is that this process is _user_ based authentication,
not device authentication (like former methods of port security, IP
filtering etc.). This allows, for example, logging in to a network from
any PC connected to it, and you'll be granted access with all the policy
settings the administrator gave you (VLAN, IP, policy, filters, QoS
settings etc.). So the foundation of 802.1X is that the whole process
should be independent of the device you physically connect to (a switch).
There's a fine description of 802.1X in the 3550 users' manual, but there are
tons of articles on it; just type '802.1X' in Google. SANS has a fine
paper on it, and if you're a masochist you could go to the roots and read
the 802.1X specs.
mikrobi,
-- .
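The three-party exchange the reply describes (supplicant, authenticator switch, RADIUS/ACS server), as an added toy model that is not part of the original thread and not real EAP/RADIUS code. The user store, user names, passwords, VLAN numbers and port names are all constructed for the example; the RADIUS attribute name `Tunnel-Private-Group-ID` and the EAPOL EtherType 0x888E are the real ones, but the message handling is simplified to show the control flow only: the switch never checks a credential itself, it relays the supplicant's response to the server and locks or unlocks the port according to the Access-Accept/Access-Reject it gets back, applying whatever per-user policy the server returns. Because the policy is tied to the user, the same user authenticating on a different physical port ends up with the same VLAN.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed user store living on the authentication server (RADIUS/ACS), not on
# the switch. Per-user policy (here just a VLAN) is returned in the Access-Accept.
RADIUS_USERS = {
    "alice": {"password": "alice-pw", "vlan": 10},
    "bob":   {"password": "bob-pw",   "vlan": 20},
}

EAPOL_ETHERTYPE = 0x888E  # the only traffic an unauthorized 802.1X port relays
IPV4_ETHERTYPE = 0x0800


class RadiusServer:
    """Authentication server: the only party that ever sees the credential."""

    def __init__(self, users: Dict[str, dict]) -> None:
        self.users = users

    def access_request(self, username: str, password: str) -> Tuple[str, dict]:
        entry = self.users.get(username)
        if entry is None or entry["password"] != password:
            return "Access-Reject", {}
        # Attributes the switch applies to the port on success (VLAN assignment)
        return "Access-Accept", {"Tunnel-Private-Group-ID": entry["vlan"]}


@dataclass
class Port:
    name: str
    authorized: bool = False      # state of the 802.1X controlled port
    vlan: Optional[int] = None
    user: Optional[str] = None


class Switch:
    """Authenticator: relays EAP between supplicant and server, never decides itself."""

    def __init__(self, radius: RadiusServer, port_names: List[str]) -> None:
        self.radius = radius
        self.ports = {n: Port(n) for n in port_names}
        self.log: List[str] = []

    def eapol_start(self, port_name: str) -> str:
        # Supplicant asks to authenticate; the switch answers with EAP-Request/Identity
        self.log.append(f"{port_name}: EAPOL-Start received, sending EAP-Request/Identity")
        return "EAP-Request/Identity"

    def eap_response(self, port_name: str, username: str, password: str) -> bool:
        """Wrap the supplicant's EAP response in a RADIUS Access-Request and act on the verdict."""
        port = self.ports[port_name]
        self.log.append(f"{port_name}: EAP-Response for {username!r} -> RADIUS Access-Request")
        code, attrs = self.radius.access_request(username, password)
        if code == "Access-Accept":
            port.authorized = True
            port.user = username
            port.vlan = attrs.get("Tunnel-Private-Group-ID")
            self.log.append(f"{port_name}: Access-Accept, port unlocked, VLAN {port.vlan}")
        else:
            port.authorized, port.user, port.vlan = False, None, None
            self.log.append(f"{port_name}: Access-Reject, port stays locked")
        return port.authorized

    def eapol_logoff(self, port_name: str) -> None:
        # Supplicant leaves: the port goes back to the unauthorized state
        port = self.ports[port_name]
        port.authorized, port.user, port.vlan = False, None, None
        self.log.append(f"{port_name}: EAPOL-Logoff, port locked")

    def forward_frame(self, port_name: str, ethertype: int) -> bool:
        """Uncontrolled port passes only EAPOL; anything else needs an authorized port."""
        return ethertype == EAPOL_ETHERTYPE or self.ports[port_name].authorized


def demo() -> dict:
    """Walk one user through a failed and a successful attempt on two ports."""
    sw = Switch(RadiusServer(RADIUS_USERS), ["Fa0/1", "Fa0/2"])
    result = {
        "ip_before_auth": sw.forward_frame("Fa0/1", IPV4_ETHERTYPE),
        "eapol_before_auth": sw.forward_frame("Fa0/1", EAPOL_ETHERTYPE),
    }
    sw.eapol_start("Fa0/1")
    result["bad_password"] = sw.eap_response("Fa0/1", "alice", "wrong")
    result["good_password"] = sw.eap_response("Fa0/1", "alice", "alice-pw")
    result["ip_after_auth"] = sw.forward_frame("Fa0/1", IPV4_ETHERTYPE)
    result["vlan_port1"] = sw.ports["Fa0/1"].vlan
    # Same user on another physical port: the policy follows the user, not the port
    sw.eap_response("Fa0/2", "alice", "alice-pw")
    result["vlan_port2"] = sw.ports["Fa0/2"].vlan
    sw.eapol_logoff("Fa0/1")
    result["ip_after_logoff"] = sw.forward_frame("Fa0/1", IPV4_ETHERTYPE)
    result["log"] = sw.log
    return result


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The model deliberately leaves out everything a real deployment would add (EAP method negotiation, RADIUS shared secrets and message authenticators, re-authentication timers, MAC-based fallback); the point is only that the switch's decision comes entirely from the server's reply, which is why an IP-address restriction configured as port-security on the switch is a separate, device-based mechanism rather than part of the 802.1X decision.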
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:46 GMT-3